Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, wherein the unique server.key is written to the file system during installation with world-readable permissions. This can allow other users of the same system where Metasploit Pro is installed to intercept otherwise private communications to the Metasploit Pro web interface.

MITRE

Status: PUBLISHED

Assigner: rapid7

Published: 2019-11-06T18:30:42.787547Z

Updated: 2024-09-17T04:24:03.024Z

Reserved: 2019-01-07T00:00:00

Link: CVE-2019-5642

NVD

Status: Analyzed

Published: 2019-11-06T19:15:12.360

Modified: 2019-11-13T14:28:18.777

Link: CVE-2019-5642
